Overview

overview

10

Static

static

3

7053b17a43...a1.exe

windows7-x64

10

7053b17a43...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2024 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe

  • Size

    96KB

  • MD5

    c44cdf5463ca0606e35f53d6fba274b2

  • SHA1

    e0209a5260253ae6581e0a6b34daf683e1f3bc63

  • SHA256

    7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1

  • SHA512

    72e316391de38d54cf2954cbc5be34585b2486387d87868219aecefcc42c51b9601658940997a4f174975c3ad42ec3cf7c19662fb803741f56b8517fd04ad39b

  • SSDEEP

    1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:YGs8cd8eXlYairZYqMddH13B

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
    "C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
      C:\Users\Admin\AppData\Local\Temp\7053b17a43322fd66b9c2117e2b62a20e08c176963856be25562d696040bf9a1.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4672
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3168
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3468
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2816
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 252
                  8⤵
                  • Program crash
                  PID:3868
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 292
              6⤵
              • Program crash
              PID:1472
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 288
          4⤵
          • Program crash
          PID:1748
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 288
      2⤵
      • Program crash
      PID:1896
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4120 -ip 4120
    1⤵
      PID:4076
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3936 -ip 3936
      1⤵
        PID:1508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2160 -ip 2160
        1⤵
          PID:3916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3468 -ip 3468
          1⤵
            PID:2296

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            3f64a5ea07124ad3eb526ed18790bd50

            SHA1

            cd6dd1692041995bcbe15c4804afac3b36559edf

            SHA256

            aca34b6f8e538bdf07d275810ec95fabcadd27b842703676de5fe1bad288a668

            SHA512

            c3ae7bd232b501c0992d55da95da27a0df2ff26af508d51a2930f7e1952858d953363d42eae0a8b4b36e906b9d7632e9acdf5e9b5d02b112d88963471a1394cb

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            a42941588f9c7f3e8d6c0f37ffc441a1

            SHA1

            108d0dc9f793762e5b67ec0cec3f80884d55e43b

            SHA256

            59a952763aa384b0c2c1e6d9017a22fb85aef0e13ab18431c63eb215d3f5f6be

            SHA512

            90aac23129a9cc945957e334fb126fbac6968620fab7857a8a23e3010440e576c24638c038344263ea2b6595520dc66036e5ccf59c93df76c750faaec45cb775

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            13d917dea739bfc45c3cd08a42d00fa8

            SHA1

            6e6430f9490785868652fde3f9b6196130ed9d9a

            SHA256

            9beefa7d0891866307c7e59d6874386246dc893de1b60d9c61e1976f279e264c

            SHA512

            87d78e7fe261570f81bf50b36920a25dad6e3a7b54a77d00a697f853b0087690ba490f0c719fa859e884b0cfbfd1f01e127ff21b675f27eaed40dcc770844a9d

            Download Submit

          • memory/1484-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1484-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1484-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1484-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2160-30-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2160-50-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2816-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2816-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2816-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2816-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3168-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3168-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3168-41-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3468-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3468-43-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3936-16-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3936-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4120-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4120-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4672-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4672-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4672-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4672-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4672-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4672-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4672-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download